Abstract. In this paper we obtain conditions on the divisors of the group order of the Jacobian of a hyperelliptic genus 2 curve, generated by the complex multiplication method described by Weng (2003) and Gaudry et al. (2005). Examples, where these conditions imply that the Jacobian has a large cyclic subgroup, are given.



1. Introduction 

In elliptic curve cryptography it is essential to know the number of points on the curve. Cryptographically we are interested in curves with large cyclic subgroups. Such elliptic curves can be constructed. The construction is based on the theory of complex multiplication, studied in detail by Atkin and Morain (1993). It is referred to as the CM method.



Koblitz (1989) suggested the use of hyperelliptic curves to provide larger group orders. Therefore constructions of hyperelliptic curves are interesting. The CM method for elliptic curves has been generalized to hyperelliptic curves of genus 2 by Spallek (1994), and efficient algorithms have been proposed by Weng (2003) and Gaudry et al. (2005).



Both algorithms take as input a primitive, quartic CM field $K$, and give as output a hyperelliptic genus 2 curve $C$ over a prime field $\mathbb{F}_p$. A prime number $p$ is chosen such that $p = \omega\bar\omega$ for a number $\omega \in \mathcal{O}_K$, where $\mathcal{O}_K$ is the ring of integers of $K$. We have $K = \mathbb{Q}(\eta)$ and $K \cap \mathbb{R} = \mathbb{Q}(\sqrt{D})$, where $\eta = i\sqrt{a + b\xi}$ and

$$\xi = \begin{cases} \dfrac{1 + \sqrt{D}}{2}, & \text{if } D \equiv 1 \pmod 4, \\[4pt] \sqrt{D}, & \text{if } D \equiv 2, 3 \pmod 4. \end{cases}$$

Write $\omega = c_1 + c_2\xi + (c_3 + c_4\xi)\eta$, $c_i \in \mathbb{Z}$. Let $C$ be a hyperelliptic curve of genus 2 over $\mathbb{F}_p$ with $\operatorname{End}(C) \simeq \mathcal{O}_K$. The Jacobian $\mathcal{J}_C(\mathbb{F}_p)$ is isomorphic to

$$(1)\qquad \mathbb{Z}/n_1\mathbb{Z} \times \mathbb{Z}/n_2\mathbb{Z} \times \mathbb{Z}/n_3\mathbb{Z} \times \mathbb{Z}/n_4\mathbb{Z},$$

where $n_i \mid n_{i+1}$ and $n_2 \mid p - 1$. In this paper, conditions on the prime divisors of the number $n_2$ are obtained, and examples, where these conditions imply that the Jacobian $\mathcal{J}_C(\mathbb{F}_p)$ has a large cyclic subgroup, are given. The conditions on the prime divisors are given by the following theorem.



2000 Mathematics Subject Classification. Primary 14H40; Secondary 11G15, 14Q05, 94A60. 
Key words and phrases. Jacobians, hyperelliptic curves, complex multiplication, cryptography. 
Research supported in part by a Ph.D. grant from CRYPTOMAThIC.


C.R. RAVNSHØJ



Theorem 1. Let $C/\mathbb{F}_p$ be a hyperelliptic curve of genus 2 with $\operatorname{End}(C) \simeq \mathcal{O}_K$, where $K$ is a primitive, quartic CM field. Assume that the structure of $\mathcal{J}_C(\mathbb{F}_p)$ is given by (1). Let $\ell \mid n_2$ be an odd prime number. Then $\ell \le Q$, where

$$Q = \max\{a, D, a^2 - b^2 D\},$$

if $D \equiv 2, 3 \pmod 4$, and

$$Q = \max\{a, D, 4a(a + b) - b^2(D - 1), aD + 2b(D - 1)\},$$

if $D \equiv 1 \pmod 4$. If $\ell > D$, then $c_1 \equiv 1 \pmod \ell$ and $c_2 \equiv 0 \pmod \ell$.

Remark 2. Since the number $n_2 \mid p - 1$ and $\ell \mid n_2$, it follows that $\ell \ne p$.

2. Hyperelliptic curves 

A hyperelliptic curve is a smooth, projective curve $C \subseteq \mathbb{P}^n$ of genus $g \ge 2$ with a separable, degree 2 morphism $C \to \mathbb{P}^1$. Let $C$ be a hyperelliptic curve of genus $g = 2$ defined over a prime field $\mathbb{F}_p$, where $\mathbb{F}_p$ is of characteristic $p > 2$. By the Riemann-Roch theorem there exists an embedding $\psi : C \to \mathbb{P}^2$, mapping $C$ to a curve given by an equation of the form

$$y^2 = f(x),$$

where $f \in \mathbb{F}_p[x]$ is of degree $\deg(f) = 6$ and has no multiple roots (see Cassels and Flynn, 1996, chapter 1).

The set of principal divisors $\mathcal{P}(C)$ on $C$ constitutes a subgroup of the degree 0 divisors $\operatorname{Div}_0(C)$. The Jacobian $\mathcal{J}_C$ of $C$ is defined as the quotient

$$\mathcal{J}_C = \operatorname{Div}_0(C)/\mathcal{P}(C).$$

Let $\ell \ne p$ be a prime number. The $\ell^n$-torsion subgroup $\mathcal{J}_C[\ell^n] \le \mathcal{J}_C$ of elements of order dividing $\ell^n$ is then by (Lang, 1959, theorem 6, p. 109)

$$\mathcal{J}_C[\ell^n] \simeq \mathbb{Z}/\ell^n\mathbb{Z} \times \mathbb{Z}/\ell^n\mathbb{Z} \times \mathbb{Z}/\ell^n\mathbb{Z} \times \mathbb{Z}/\ell^n\mathbb{Z}.$$

An endomorphism $\psi : \mathcal{J}_C \to \mathcal{J}_C$ induces a $\mathbb{Z}_\ell$-linear map

$$\psi_\ell : T_\ell(\mathcal{J}_C) \to T_\ell(\mathcal{J}_C)$$

on the $\ell$-adic Tate module $T_\ell(\mathcal{J}_C)$ of $\mathcal{J}_C$ (Lang, 1959, chapter VII, §1). Hence $\psi$ is represented on $\mathcal{J}_C[\ell]$ by a matrix $M \in \operatorname{Mat}_{4 \times 4}(\mathbb{Z}/\ell\mathbb{Z})$. Let $P(X) \in \mathbb{Z}[X]$ be the characteristic polynomial of $\psi$ (see Lang, 1959, pp. 109-110) and $P_M(X) \in (\mathbb{Z}/\ell\mathbb{Z})[X]$ the characteristic polynomial of $M$. Then (Lang, 1959, theorem 3, p. 186)

$$(2)\qquad P(X) \equiv P_M(X) \pmod \ell.$$

Since $C$ is defined over $\mathbb{F}_p$, the mapping $(x, y) \mapsto (x^p, y^p)$ is an isogeny on $C$. This isogeny induces an endomorphism $\varphi$ on the Jacobian $\mathcal{J}_C$, the Frobenius endomorphism. The characteristic polynomial $P(X)$ of $\varphi$ is of degree 4 (Tate, 1966, theorem 2, p. 140). Theorem 1 will be established by using the identity (2) on the Frobenius.
3. CM fields

An elliptic curve $E$ with $\mathbb{Z} \ne \operatorname{End}(E)$ is said to have CM. Let $K$ be an imaginary, quadratic number field with ring of integers $\mathcal{O}_K$. $K$ is a CM field. If $\operatorname{End}(E) \simeq \mathcal{O}_K$, then $E$ is said to have CM by $\mathcal{O}_K$. More generally a CM field is defined as follows.

Definition 3 (CM field). A number field $K$ is a CM field, if $K$ is a totally imaginary, quadratic extension of a totally real number field $K_0$.

In this paper only CM fields of degree $[K : \mathbb{Q}] = 4$ are considered. Such a field is called a quartic CM field. Let $K_0 = K \cap \mathbb{R}$. Then $K_0$ is a real, quadratic number field, $K_0 = \mathbb{Q}(\sqrt{D})$. Since $K$ is a totally imaginary, quadratic extension of $K_0$, a number $\eta \in K$ exists, such that $K = K_0(\eta)$, $\eta^2 \in K_0$. The number $\eta$ is totally imaginary, and we may assume $\eta = i\eta_0$, $\eta_0 \in \mathbb{R}$, and that $-\eta^2$ is totally positive.

Let $C$ be a hyperelliptic curve of genus $g = 2$. Then $C$ is said to have CM by $\mathcal{O}_K$, if $\operatorname{End}(C) \simeq \mathcal{O}_K$. The structure of $K$ determines whether $C$ is irreducible. More precisely, the following theorem holds.

Theorem 4. Let $C$ be a hyperelliptic curve of genus 2 with CM by $\mathcal{O}_K$, where $K$ is a quartic CM field. Then $C$ is reducible if, and only if, $K/\mathbb{Q}$ is Galois with Galois group $\operatorname{Gal}(K/\mathbb{Q}) \simeq \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/2\mathbb{Z}$.

Proof. (Shimura, 1998, proposition 26, p. 61). □

Theorem 4 motivates the following definition.

Definition 5 (Primitive, quartic CM field). A quartic CM field $K$ is called primitive if either $K/\mathbb{Q}$ is not Galois, or $K/\mathbb{Q}$ is Galois with cyclic Galois group.



4. The CM method for genus 2 
The CM method for genus 2 is described in detail by Weng (2003) and Gaudry et al. (2005). In short, the CM method is based on the construction of the class polynomials of the number field $K$. The prime number $p$ has to be chosen such that

$$(3)\qquad p = \omega\bar\omega$$

for a number $\omega \in \mathcal{O}_K$. There are 2 approaches to choose such a prime number $p$. Either pick a random prime number $p$, and try to solve the complex norm equation (3) in $\mathcal{O}_K$, or generate a number $\omega \in \mathcal{O}_K$, such that $\omega\bar\omega$ is a prime number. The first approach needs deep theory, e.g. class groups. The second can be implemented in a short algorithm, and is based on elementary theory. Moreover, empirical results indicate that the elementary method is the faster of the two approaches (Weng, 2003, table 1). Thus the elementary method is preferable. The algorithm is given in figure 1 for $D \equiv 2, 3 \pmod 4$. The algorithm for $D \equiv 1 \pmod 4$ is similar (Weng, 2003, section 8).

Remark 6. In either way we get an $\omega \in \mathcal{O}_K$ with $\omega\bar\omega = p$. We may assume that $\omega$ fulfils the additional condition $\gcd(c_3, c_4) = 1$, where the numbers $c_3$ and $c_4$ are given by equation (4) in section 5. In the first approach, if $\omega$ does not fulfil this condition, we can just pick another prime number $p$. In the elementary method we can incorporate this condition in the algorithm.
Input: CM field $K = \mathbb{Q}\left(i\sqrt{a + b\sqrt{D}}\right)$.
Output: Prime $p = \omega\bar\omega$ and $\omega \in \mathcal{O}_K$.

(1) Choose random numbers $c_3, c_4 \in \mathbb{Z}$ such that $\gcd(c_3, c_4) = 1$ and $c_3^2 b - c_4^2 bD \equiv 0 \pmod 2$.

(2) Set $2n := -2c_3c_4 a - c_3^2 b - c_4^2 bD$.

(3) Choose $c_1$ at random as a divisor of $n$.

(4) Set $c_2 := n/c_1$.

(5) Set $p := c_1^2 + c_2^2 D + c_3^2 a + c_4^2 aD + 2c_3c_4 bD$. If $p$ is not a prime number, start again.

(6) Set $\omega := c_1 + c_2\sqrt{D} + (c_3 + c_4\sqrt{D})\, i\sqrt{a + b\sqrt{D}}$.

Figure 1. Elementary method to choose a prime number $p = \omega\bar\omega$ in the case $D \equiv 2, 3 \pmod 4$.
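The following is an added example and not code from the paper or from the implementations of Weng or Gaudry et al.: a Python transcription of the six steps of Figure 1, together with an exact evaluation of $\omega\bar\omega$ in the basis $\{1, \sqrt{D}\}$ of $K_0$ that works for either residue class of $D$ and is run on the two numbers $\omega$ of section 6. The function names, the range $[-1000, 1000]$ for $c_3, c_4$, the Miller-Rabin primality test and the rewriting $7 + \sqrt{5} = 6 + 2\xi$ used to put Example 2 into the coordinates of equation (4) are my choices, not the paper's.

```python
# Added example, not code from the paper: the elementary method of Figure 1
# (D = 2, 3 mod 4) and an exact check of p = omega * conj(omega) for any D,
# run on the two numbers omega of section 6.
from fractions import Fraction
from math import gcd
import random


def k0_mul(x, y, D):
    """Product of r1 + s1*sqrt(D) and r2 + s2*sqrt(D), both given as pairs (r, s)."""
    r1, s1 = x
    r2, s2 = y
    return (r1 * r2 + s1 * s2 * D, r1 * s2 + s1 * r2)


def xi(D):
    """The generator xi of O_{K_0} from section 1, as a pair (r, s) meaning r + s*sqrt(D)."""
    if D % 4 == 1:
        return (Fraction(1, 2), Fraction(1, 2))
    if D % 4 in (2, 3):
        return (Fraction(0), Fraction(1))
    raise ValueError("D must be square-free with D = 1, 2 or 3 (mod 4)")


def norm_parts(c, a, b, D):
    """Rational and sqrt(D) coordinate of omega * conj(omega) for
    omega = c1 + c2*xi + (c3 + c4*xi)*eta as in equation (4).
    Conjugation fixes xi and sends eta to -eta, and eta^2 = -(a + b*xi),
    so the norm equals (c1 + c2*xi)^2 + (c3 + c4*xi)^2 * (a + b*xi)."""
    c1, c2, c3, c4 = c
    x = xi(D)
    alpha = (c1 + c2 * x[0], c2 * x[1])
    beta = (c3 + c4 * x[0], c4 * x[1])
    gamma = (a + b * x[0], b * x[1])
    first = k0_mul(alpha, alpha, D)
    second = k0_mul(k0_mul(beta, beta, D), gamma, D)
    return (first[0] + second[0], first[1] + second[1])


def is_probable_prime(n):
    """Miller-Rabin with the first twelve primes as bases: never rejects a prime,
    and is deterministic for n below roughly 3.3e24."""
    if n < 2:
        return False
    bases = [2, 3, 5, 7, 11, 13, 17, 19, 23, 29, 31, 37]
    for q in bases:
        if n % q == 0:
            return n == q
    d, s = n - 1, 0
    while d % 2 == 0:
        d, s = d // 2, s + 1
    for a in bases:
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(s - 1):
            x = x * x % n
            if x == n - 1:
                break
        else:
            return False
    return True


def divisors(n):
    """Positive divisors of the non-zero integer n, by trial division."""
    n = abs(n)
    small, large = [], []
    i = 1
    while i * i <= n:
        if n % i == 0:
            small.append(i)
            if i * i != n:
                large.append(n // i)
        i += 1
    return small + large[::-1]


def elementary_method(a, b, D, bound=1000, seed=None):
    """Figure 1: return (p, (c1, c2, c3, c4)) with p = omega * conj(omega) prime.
    c3, c4 are drawn from [-bound, bound]; the paper does not fix a range."""
    if D % 4 not in (2, 3):
        raise ValueError("Figure 1 covers D = 2, 3 (mod 4) only")
    rng = random.Random(seed)
    while True:
        c3, c4 = rng.randint(-bound, bound), rng.randint(-bound, bound)
        # step (1): coprime, plus the parity condition that makes n an integer
        if gcd(c3, c4) != 1 or (c3 * c3 * b - c4 * c4 * b * D) % 2:
            continue
        n = (-2 * c3 * c4 * a - c3 * c3 * b - c4 * c4 * b * D) // 2  # step (2)
        if n == 0:
            continue
        c1 = rng.choice(divisors(n)) * rng.choice((1, -1))  # step (3)
        c2 = n // c1  # step (4): equation (7) now holds by construction
        # step (5): the rational coordinate of the norm, equation (6)
        p = c1 * c1 + c2 * c2 * D + c3 * c3 * a + c4 * c4 * a * D + 2 * c3 * c4 * b * D
        if is_probable_prime(p):
            return p, (c1, c2, c3, c4)  # step (6): omega is determined by the c_i


def is_norm_of(p, c, a, b, D):
    """True iff p is (probably) prime and omega * conj(omega) == p exactly."""
    return is_probable_prime(p) and norm_parts(c, a, b, D) == (p, 0)


def coprime(c):
    return gcd(c[2], c[3]) == 1


# The two numbers omega of section 6, transcribed from the paper.
# Example 1: K = Q(i sqrt(2 + sqrt 2)), so a = 2, b = 1, D = 2 and xi = sqrt 2.
EXAMPLE_1 = (15314033922152826237436247359259334919,
             (3913314953099587393, -31, 4483312578, 6978049007), 2, 1, 2)
# Example 2: K = Q(i sqrt(7 + sqrt 5)), D = 5, xi = (1 + sqrt 5)/2.  The paper prints
# omega in the basis {1, sqrt 5}; since x + y*sqrt 5 = (x - y) + 2y*xi and
# 7 + sqrt 5 = 6 + 2*xi, the coordinates of equation (4) are the ones below, a = 6, b = 2.
EXAMPLE_2 = (14304107096878940330893123933,
             (-119599766860084 - 5279155, 2 * 5279155,
              13860963299 - 4898901569, 2 * 4898901569), 6, 2, 5)

if __name__ == "__main__":
    print("Example 1 checks:", is_norm_of(*EXAMPLE_1))
    print("Example 2 checks:", is_norm_of(*EXAMPLE_2))
    print("Figure 1 run:", elementary_method(2, 1, 2, seed=2007))
```

The parity condition in step (1) is exactly what makes $2n$ even, and choosing $c_1 c_2 = n$ makes the $\sqrt{D}$ coordinate of $\omega\bar\omega$, equation (7), vanish identically, so only primality of the rational coordinate (6) has to be tested. For Example 2 both coordinates $c_3$ and $c_4$ come out even, so $\gcd(c_3, c_4) \ne 1$ there; by remark 8 below this does not affect Theorem 7 for odd $\ell$.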



5. Properties of $\mathcal{J}_C(\mathbb{F}_p)$

Let $K$ be a primitive, quartic CM field with real subfield $K_0 = \mathbb{Q}(\sqrt{D})$ of class number $h(K_0) = 1$. Write $K = \mathbb{Q}(\eta)$, where $\eta = i\sqrt{a + b\xi}$ and

$$\xi = \begin{cases} \dfrac{1 + \sqrt{D}}{2}, & \text{if } D \equiv 1 \pmod 4, \\[4pt] \sqrt{D}, & \text{if } D \equiv 2, 3 \pmod 4. \end{cases}$$

We may assume that $a \pm b\sqrt{D},\ a + b\dfrac{1 \pm \sqrt{D}}{2} > 0$, cf. section 3. Let $p$ be a prime number such that

$$p = \omega\bar\omega$$

for a number $\omega \in \mathcal{O} = \mathcal{O}_{K_0} + \eta\mathcal{O}_{K_0}$. Since $h(K_0) = 1$, we can write

$$(4)\qquad \omega = c_1 + c_2\xi + (c_3 + c_4\xi)\eta, \qquad c_i \in \mathbb{Z}.$$

We may assume $\gcd(c_3, c_4) = 1$, cf. remark 6. Let $C/\mathbb{F}_p$ be a hyperelliptic curve of genus 2 with CM by $\mathcal{O}_K$. Write

$$(5)\qquad \mathcal{J}_C(\mathbb{F}_p) \simeq \mathbb{Z}/n_1\mathbb{Z} \times \mathbb{Z}/n_2\mathbb{Z} \times \mathbb{Z}/n_3\mathbb{Z} \times \mathbb{Z}/n_4\mathbb{Z},$$

where $n_i \mid n_{i+1}$ and $n_2 \mid p - 1$ (see Frey and Lange, 2006, proposition 5.78, p. 111). Depending on the remainder of $D$ modulo 4, we obtain conditions on the prime divisors of the number $n_2$.

Theorem 7. Let $C/\mathbb{F}_p$ be a hyperelliptic curve of genus 2 with CM by $\mathcal{O}_K$. Assume that the structure of $\mathcal{J}_C(\mathbb{F}_p)$ is given by (5). Let $\ell \mid n_2$ be an odd prime number. Then $\ell \le Q$, where

$$Q = \max\{a, D, a^2 - b^2 D\},$$

if $D \equiv 2, 3 \pmod 4$, and

$$Q = \max\{a, D, 4a(a + b) - b^2(D - 1), aD + 2b(D - 1)\},$$

if $D \equiv 1 \pmod 4$. If $\ell > D$, then $c_1 \equiv 1 \pmod \ell$ and $c_2 \equiv 0 \pmod \ell$.

Proof. Assume $D \equiv 2, 3 \pmod 4$. Since $\omega\bar\omega = p$ we find that

$$(6)\qquad p = c_1^2 + c_2^2 D + c_3^2 a + c_4^2 aD + 2c_3c_4 bD,$$

$$(7)\qquad 0 = 2c_1c_2 + c_3^2 b + c_4^2 bD + 2c_3c_4 a.$$
Let $P(X)$ be the characteristic polynomial of the Frobenius $\varphi$.

$$P(X) = \prod_{i=1}^{4}(X - \omega_i) = X^4 - 4c_1 X^3 + \left(2p + 4(c_1^2 - c_2^2 D)\right)X^2 - 4c_1 p X + p^2.$$

Here $\omega_i$ are the roots of $P(X)$.

Let $\ell \mid n_2$ be an odd prime number. Then by equation (5) the Jacobian $\mathcal{J}_C(\mathbb{F}_p)$ contains a subgroup $U \simeq (\mathbb{Z}/\ell\mathbb{Z})^3$. As

$$(\mathbb{Z}/\ell\mathbb{Z})^3 \le \mathcal{J}_C(\mathbb{F}_p)[\ell] \le \mathcal{J}_C[\ell],$$

the Frobenius $\varphi$ is represented on $\mathcal{J}_C[\ell]$ by a matrix

$$M = \begin{pmatrix} 1 & 0 & 0 & m_1 \\ 0 & 1 & 0 & m_2 \\ 0 & 0 & 1 & m_3 \\ 0 & 0 & 0 & m_4 \end{pmatrix}.$$

Notice that $m_4 = \det(M) \equiv \deg(\varphi) = p^2 \pmod \ell$. Since $p \equiv 1 \pmod \ell$, $M$ has the characteristic polynomial

$$P_M(X) = (X - 1)^4 = X^4 - 4X^3 + 6X^2 - 4X + 1 \pmod \ell.$$

Now $P(X) \equiv P_M(X) \pmod \ell$. Thus

$$c_1 \equiv c_1^2 - c_2^2 D \equiv 1 \pmod \ell,$$

since $\ell \ne 2$.

Assume $\ell > D$. Then

$$(8)\qquad c_1 \equiv 1 \pmod \ell, \qquad c_2 \equiv 0 \pmod \ell.$$

By the equations (6) and (7), we get

$$c_1^2 + c_2^2 D + c_3^2 a + c_4^2 aD + 2c_3c_4 bD \equiv 1 \pmod \ell,$$
$$2c_1c_2 + c_3^2 b + c_4^2 bD + 2c_3c_4 a \equiv 0 \pmod \ell.$$

Therefore, by equation (8), the following holds.

$$(9)\qquad c_3^2 a + c_4^2 aD + 2c_3c_4 bD \equiv 0 \pmod \ell,$$
$$c_3^2 b + c_4^2 bD + 2c_3c_4 a \equiv 0 \pmod \ell.$$

It follows that

$$c_3c_4(a^2 - b^2 D) \equiv 0 \pmod \ell.$$

Here $a^2 - b^2 D = (a + b\sqrt{D})(a - b\sqrt{D}) > 0$, since $a \pm b\sqrt{D} > 0$. Assume $\ell > a^2 - b^2 D$. Then we get $c_3c_4 \equiv 0 \pmod \ell$. Thus either $c_3 \equiv 0 \pmod \ell$ or $c_4 \equiv 0 \pmod \ell$.

Assume $\ell > a$. If $c_3 \equiv 0 \pmod \ell$, then $c_4^2 aD \equiv 0 \pmod \ell$ by equation (9), i.e. $c_4 \equiv 0 \pmod \ell$. On the other hand if $c_4 \equiv 0 \pmod \ell$, then $c_3^2 a \equiv 0 \pmod \ell$, i.e. $c_3 \equiv 0 \pmod \ell$.

Summing up, $c_3 \equiv c_4 \equiv 0 \pmod \ell$ if $\ell > \max\{a, D, a^2 - b^2 D\}$. But this contradicts $\gcd(c_3, c_4) = 1$. Therefore $\ell \le \max\{a, D, a^2 - b^2 D\}$, and the case $D \equiv 2, 3 \pmod 4$ is established.
Now consider the case $D \equiv 1 \pmod 4$. Since $\omega\bar\omega = p$, we now find that

$$p = c_1^2 + c_1c_2 + \tfrac14 c_2^2(1 + D) + c_3^2\left(a + \tfrac12 b\right) + c_3c_4\left(\tfrac12 b(D + 1) + a\right) + c_4^2\left(\tfrac18 b(3D + 1) + \tfrac14 a(D + 1)\right),$$

$$0 = c_1c_2 + \tfrac12 c_2^2 + \tfrac12 c_3^2 b + c_3c_4(a + b) + c_4^2\left(\tfrac18 b(D + 3) + \tfrac12 a\right).$$

The characteristic polynomial of the Frobenius $\varphi$ is given by

$$P(X) = X^4 - (4c_1 + 2c_2)X^3 + \left(2p + (2c_1 + c_2)^2 - c_2^2 D\right)X^2 - (4c_1 + 2c_2)pX + p^2.$$

Let $\ell \mid n_2$ be an odd prime number. As in the case $D \equiv 2, 3 \pmod 4$, the Frobenius $\varphi$ is represented on $\mathcal{J}_C[\ell]$ by a matrix $M$ with the characteristic polynomial

$$P_M(X) = X^4 - 4X^3 + 6X^2 - 4X + 1 \pmod \ell.$$

Since $P(X) \equiv P_M(X) \pmod \ell$, it follows that

$$4c_1 + 2c_2 \equiv (2c_1 + c_2)^2 - c_2^2 D \equiv 4 \pmod \ell.$$

Assume $\ell > D$. Then

$$c_1 \equiv 1 \pmod \ell, \qquad c_2 \equiv 0 \pmod \ell.$$

Now

$$c_3^2(8a + 4b) + c_3c_4\left(4b(D + 1) + 8a\right) + c_4^2\left(b(3D + 1) + 2a(D + 1)\right) \equiv 0 \pmod \ell,$$
$$4c_3^2 b + 8c_3c_4(a + b) + c_4^2\left(b(D + 3) + 4a\right) \equiv 0 \pmod \ell.$$

Therefore

$$(10)\qquad 4c_3^2 a + 2c_3c_4 b(D - 1) + c_4^2(a + b)(D - 1) \equiv 0 \pmod \ell,$$
$$4c_3^2 b + 8c_3c_4(a + b) + c_4^2\left(b(D + 3) + 4a\right) \equiv 0 \pmod \ell.$$

It follows that

$$\left(b^2(D - 1) - 4a(a + b)\right)\left(2c_3c_4 - c_4^2\right) \equiv 0 \pmod \ell.$$

Notice that

$$4a(a + b) - b^2(D - 1) = 4\left(a + b\,\frac{1 - \sqrt{D}}{2}\right)\left(a + b\,\frac{1 + \sqrt{D}}{2}\right) > 0.$$

Now assume $\ell > 4a(a + b) - b^2(D - 1)$. Then

$$2c_3c_4 - c_4^2 \equiv 0 \pmod \ell.$$

Thus either $c_4 \equiv 0 \pmod \ell$ or $c_4 \equiv 2c_3 \pmod \ell$.

Assume $\ell > a$. If $c_4 \equiv 0 \pmod \ell$, then $c_3^2 a \equiv 0 \pmod \ell$ by equation (10), i.e. $c_3 \equiv 0 \pmod \ell$. This contradicts $\gcd(c_3, c_4) = 1$. So $c_4 \not\equiv 0 \pmod \ell$. Then $c_4 \equiv 2c_3 \pmod \ell$. From equation (10) it follows that

$$c_4^2\left(2b(D - 1) + aD\right) \equiv 0 \pmod \ell,$$

i.e. $c_4 \equiv 0 \pmod \ell$ if $\ell > 2b(D - 1) + aD$. But then $c_3 \equiv c_4 \equiv 0 \pmod \ell$, a contradiction. □
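As an added illustration of the argument just given (not part of the paper), the following Python code builds the coefficient list of $P(X)$ from $(c_1, c_2, D, p)$ for both residue classes of $D$ and tests the congruence $P(X) \equiv (X - 1)^4 \pmod \ell$ coefficient by coefficient, which is the condition the proof extracts from identity (2) for an odd prime $\ell \mid n_2$. It is applied to the number $\omega$ of Example 1 in section 6 below; the numbers are taken from there, while the function names and the small constructed instance are mine.

```python
# Added example, not code from the paper: the congruence P(X) = (X - 1)^4 (mod ell)
# that the proof of Theorem 7 derives from identity (2), applied to omega of Example 1.


def frobenius_charpoly(c1, c2, D, p):
    """Coefficients [1, a3, a2, a1, a0] of P(X) = X^4 + a3 X^3 + a2 X^2 + a1 X + a0,
    the characteristic polynomial of the Frobenius omega as given in the proof
    for the two cases of D modulo 4."""
    if D % 4 in (2, 3):
        trace = 4 * c1
        middle = 2 * p + 4 * (c1 * c1 - c2 * c2 * D)
    elif D % 4 == 1:
        trace = 4 * c1 + 2 * c2
        middle = 2 * p + (2 * c1 + c2) ** 2 - c2 * c2 * D
    else:
        raise ValueError("D must be 1, 2 or 3 (mod 4)")
    return [1, -trace, middle, -trace * p, p * p]


# (X - 1)^4 = X^4 - 4X^3 + 6X^2 - 4X + 1, the characteristic polynomial of M.
UNIPOTENT = [1, -4, 6, -4, 1]


def ell_may_divide_n2(coeffs, ell):
    """Necessary condition from the proof: ell | n_2 forces P(X) = (X - 1)^4 (mod ell)
    coefficient by coefficient (in particular p = 1 and c_1 = 1 (mod ell))."""
    return all((u - v) % ell == 0 for u, v in zip(coeffs, UNIPOTENT))


def surviving_odd_primes(coeffs, primes):
    """The odd primes among `primes` that the congruence does not rule out."""
    return [ell for ell in primes if ell % 2 == 1 and ell_may_divide_n2(coeffs, ell)]


# Example 1 of the paper: K = Q(i sqrt(2 + sqrt 2)), D = 2, omega = c1 + c2 sqrt 2 + ...
P1 = 15314033922152826237436247359259334919
C1, C2 = 3913314953099587393, -31
R1 = 87556173808919520163329861675989739433243040373597074857097140343
ODD_PRIMES_OF_N1 = [7, 17, 23, 4993, R1]  # from N = 2^2 * 7^3 * 17 * 23 * 4993 * r


def example1_survivors():
    """Odd prime divisors of N that the congruence leaves as candidates for n_2."""
    return surviving_odd_primes(frobenius_charpoly(C1, C2, 2, P1), ODD_PRIMES_OF_N1)


def divisibility_alone_excludes(ell):
    """The weaker test n_2 | p - 1 for Example 1: False means ell divides p - 1."""
    return (P1 - 1) % ell != 0


def constructed_case():
    """Constructed integers, not from a curve: c1 = 6, c2 = 5, D = 2, p = 11, ell = 5.
    Every coefficient of P(X) is 1 mod 5, as is every coefficient of (X - 1)^4."""
    return ell_may_divide_n2(frobenius_charpoly(6, 5, 2, 11), 5)


if __name__ == "__main__":
    print("Example 1, odd primes of N not excluded:", example1_survivors())
    print("7 excluded by n_2 | p - 1 alone:", divisibility_alone_excludes(7))
```

For Example 1 the divisibility $n_2 \mid p - 1$ alone does not exclude $\ell = 7$, since $p \equiv 1 \pmod 7$ there, whereas the coefficient congruence does, in agreement with the bound $Q = 2$ of Theorem 7.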
Remark 8. The condition $\gcd(c_3, c_4) = 1$ may be relaxed. In the proof of theorem 7 we only need $\ell \nmid \gcd(c_3, c_4)$.

6. Examples 

By theorem 7 large prime divisors of the order $N = |\mathcal{J}_C(\mathbb{F}_p)|$ will not divide the divisor $n_2$ of $N$. This is useful if we want to determine the possible cyclic subgroups of $\mathcal{J}_C(\mathbb{F}_p)$.

Example 1. In $K = \mathbb{Q}\left(i\sqrt{2 + \sqrt{2}}\right)$, the prime number

$$p = 15314033922152826237436247359259334919$$

is the complex norm of the number

$$\omega = 3913314953099587393 - 31\sqrt{2} + \left(4483312578 + 6978049007\sqrt{2}\right) i\sqrt{2 + \sqrt{2}}.$$

The CM method yields a hyperelliptic genus 2 curve $C$ with Jacobian of order

$$N = 234519634968847474692278544362349582158321382804023011720188699330496198748.$$

Since $N = 2^2 \cdot 7^3 \cdot 17 \cdot 23 \cdot 4993 \cdot r$, where

$$r = 87556173808919520163329861675989739433243040373597074857097140343$$

is a prime number, either

$$\mathcal{J}_C(\mathbb{F}_p) \simeq \mathbb{Z}/N\mathbb{Z} \qquad\text{or}\qquad \mathcal{J}_C(\mathbb{F}_p) \simeq \mathbb{Z}/n_3\mathbb{Z} \times \mathbb{Z}/n_4\mathbb{Z},$$

where $n_3 \in \{2, 7, 14\}$.



Example 2. In $K = \mathbb{Q}\left(i\sqrt{7 + \sqrt{5}}\right)$, the prime number

$$p = 14304107096878940330893123933$$

is the complex norm of the number

$$\omega = -119599766860084 + 5279155\sqrt{5} + \left(13860963299 + 4898901569\sqrt{5}\right) i\sqrt{7 + \sqrt{5}}.$$

The CM method yields a hyperelliptic genus 2 curve $C$ with Jacobian of order

$$N = 204607479838989309536748148297333557447111046976589088984.$$

Since $N = 2^3 \cdot 7^3 \cdot 71 \cdot r$, where

$$r = 1050217015557576630891205130257738047915611254140091$$

is a prime number, either

$$\mathcal{J}_C(\mathbb{F}_p) \simeq \mathbb{Z}/n_3\mathbb{Z} \times \mathbb{Z}/n_4\mathbb{Z},$$

where $n_3 \in \{1, 2, 7, 14\}$, or

$$\mathcal{J}_C(\mathbb{F}_p) \simeq \mathbb{Z}/2\mathbb{Z} \times \mathbb{Z}/n_3\mathbb{Z} \times \mathbb{Z}/n_4\mathbb{Z},$$

where $n_3 \in \{2, 14\}$.
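As an added example (not the paper's own computation), the following Python code enumerates all tuples $(n_1, n_2, n_3, n_4)$ in (5) compatible with $n_1 \mid n_2 \mid n_3 \mid n_4$, $n_2 \mid p - 1$ and the bound $Q$ of Theorem 7, and reproduces the two lists of possible structures above from the factorisations of $N$. For Example 2 note that $7 + \sqrt{5} = 6 + 2\xi$ with $\xi = (1 + \sqrt{5})/2$, so $(a, b, D) = (6, 2, 5)$ in the notation of section 5; the function names and the `use_theorem` switch are mine.

```python
# Added example, not code from the paper: the group structures (5) left open by
# n_1 | n_2 | n_3 | n_4, n_2 | p - 1 and the bound Q of Theorem 7, for both examples.


def theorem_bound(a, b, D):
    """The number Q of Theorem 7."""
    if D % 4 in (2, 3):
        return max(a, D, a * a - b * b * D)
    if D % 4 == 1:
        return max(a, D, 4 * a * (a + b) - b * b * (D - 1), a * D + 2 * b * (D - 1))
    raise ValueError("D must be 1, 2 or 3 (mod 4)")


def product(factors):
    """The integer with factorisation {prime: exponent}."""
    n = 1
    for q, e in factors.items():
        n *= q ** e
    return n


def divisors(factors):
    """All divisors of the integer with factorisation {prime: exponent}."""
    divs = [1]
    for q, e in factors.items():
        divs = [d * q ** k for d in divs for k in range(e + 1)]
    return sorted(divs)


def possible_structures(factors, p, Q=None):
    """Tuples (n1, n2, n3, n4) with n1*n2*n3*n4 = N, n_i | n_{i+1} and n_2 | p - 1.
    If Q is given, n_2 may have no odd prime divisor above Q (Theorem 7)."""
    N = product(factors)
    divs = divisors(factors)
    found = set()
    for n2 in divs:
        if (p - 1) % n2:
            continue
        if Q is not None and any(q % 2 and q > Q and n2 % q == 0 for q in factors):
            continue
        for n1 in divs:
            if n2 % n1:
                continue
            for n3 in divs:
                if n3 % n2 or N % (n1 * n2 * n3):
                    continue
                n4 = N // (n1 * n2 * n3)
                if n4 % n3 == 0:
                    found.add((n1, n2, n3, n4))
    return found


# Example 1: K = Q(i sqrt(2 + sqrt 2)), a = 2, b = 1, D = 2; numbers from the paper.
P1 = 15314033922152826237436247359259334919
R1 = 87556173808919520163329861675989739433243040373597074857097140343
F1 = {2: 2, 7: 3, 17: 1, 23: 1, 4993: 1, R1: 1}
N1 = 234519634968847474692278544362349582158321382804023011720188699330496198748
# Example 2: K = Q(i sqrt(7 + sqrt 5)); with xi = (1 + sqrt 5)/2 we have
# 7 + sqrt 5 = 6 + 2*xi, so a = 6, b = 2, D = 5 in the notation of section 5.
P2 = 14304107096878940330893123933
R2 = 1050217015557576630891205130257738047915611254140091
F2 = {2: 3, 7: 3, 71: 1, R2: 1}
N2 = 204607479838989309536748148297333557447111046976589088984


def example1(use_theorem=True):
    return possible_structures(F1, P1, theorem_bound(2, 1, 2) if use_theorem else None)


def example2(use_theorem=True):
    return possible_structures(F2, P2, theorem_bound(6, 2, 5) if use_theorem else None)


if __name__ == "__main__":
    for name, structures in (("Example 1", example1()), ("Example 2", example2())):
        print(name)
        for n1, n2, n3, n4 in sorted(structures):
            print("  (n1, n2, n3) =", (n1, n2, n3))
```

Without the theorem, $n_2 = 7$ would survive in Example 1, since $7 \mid p - 1$ there, giving among others the structure $(n_1, n_2, n_3, n_4) = (1, 7, 7, N/49)$; the bound $Q = 2$ removes it.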